ServicePrincipalNotFound in Active Directory tenant *** - Passing secure variables in Powershell from Azure DevOps

10/26/2019

I am executing an ARM template which creates an Azure Kubernetes Service and other resources from an Azure resource group deployment task.

My ARM template has as parameters servicePrincipalClientId and servicePrincipalClientSecret, sensitive data which are used to create the Azure Kubernetes cluster, right here. (This link is my complete ARM template)

So, what I am doing is the following:

  • I've created the servicePrincipalClientId and servicePrincipalClientSecret as pipeline variables


  • I previously created the service principal and its servicePrincipalClientId and servicePrincipalClientSecret data; I am using them to create a service connection in order to connect to Azure cloud in this way:


  • I have a PowerShell task to convert the servicePrincipalClientId and servicePrincipalClientSecret variable values to secure strings in this way:
$env:secretServicePrincipalClientId = ConvertTo-SecureString '$($env:servicePrincipalClientId)' -AsPlainText -Force

$env:secretServicePrincipalClientSecret = ConvertTo-SecureString '$($env:servicePrincipalClientSecret)' -AsPlainText -Force
  • To deploy the resources defined in the ARM template I've created an Azure resource group deployment task with the following options:

  • I am using the service connection created to interact with my subscription.

  • Action to be performed: Create or Update resource group

  • Template, the ARM template path referenced above.

  • Override template parameters: I included here all the ARM template parameter values, and I want to emphasize the way I am referencing the servicePrincipalClientId and servicePrincipalClientSecret variable values:

I am referencing here the secretServicePrincipalClientId and secretServicePrincipalClientSecret variables that I used above, in my first Azure DevOps task, to convert the servicePrincipalClientId and servicePrincipalClientSecret variable values to secure strings.

-servicePrincipalClientId $($secretServicePrincipalClientId) 
-servicePrincipalClientSecret $($secretServicePrincipalClientSecret) 
   .
   .
-serviceCidr "100.0.0.0/16" 
-dnsServiceIP "100.0.0.10" 
-dockerBridgeCidr "172.17.0.1/16" 
   .
   .

So, when I execute the release pipeline, I get this error in the Azure resource group deployment task:

2019-10-26T20:05:13.3246017Z The detected encoding for file 'd:\a\r1\a\Project\Deployments\ARMTemplates\Infrastructure\AzResourceGroupDeploymentApproach\testing.json' is 'utf-8'
2019-10-26T20:05:13.3410693Z Starting Deployment.
2019-10-26T20:05:13.3412081Z Deployment name is AzureDevOpsDeployment


2019-10-26T20:05:18.1729784Z There were errors in your deployment. Error code: InvalidTemplateDeployment.
2019-10-26T20:05:18.1730624Z ##[error]The template deployment 'AzureDevOpsDeployment' is not valid according to the validation procedure. The tracking id is 'xxxxxxx'. See inner errors for details.
2019-10-26T20:05:18.1731223Z ##[error]Details:


2019-10-26T20:05:18.1732062Z ##[error]ServicePrincipalNotFound: Provisioning of resource(s) for container service KubernetesCluster-aks in resource group testing failed. Message: {
  "code": "ServicePrincipalNotFound",
  "message": "Service principal clientID: $($secretServicePrincipalClientId) not found in Active Directory tenant ***, Please see https://aka.ms/aks-sp-help for more details."
 }. Details: 

2019-10-26T20:05:18.1733305Z ##[error]Task failed while creating or updating the template deployment.
2019-10-26T20:05:18.1765718Z ##[section]Finishing: Azure Deployment:Create Or Update Resource Group action on testing

Looks like the service principal that I am using to connect to Azure cloud does not exist, but that's not true. That service principal exists.

If I include the servicePrincipalClientId and servicePrincipalClientSecret values directly in plain text in the task:

-servicePrincipalClientId <servicePrincipalClientId-value> 
-servicePrincipalClientSecret <servicePrincipalClientSecret-value> 

then the Azure resource group task works and the resources in the ARM template are deployed in Azure cloud from Azure DevOps.

  • What is the problem?

According to this link, AKS needs a service principal to be created.

  • Also, when we create an Azure Kubernetes Service using az cli, the service principal is created automatically.

  • The same happens when we create an Azure Kubernetes Service from the Azure portal.

So I am creating an Azure Kubernetes Service from Azure DevOps by executing an ARM template via the resource group deployment task, using an existing service principal's credentials in the task and in the service connection.

  • Why is my service principal not recognized?

I tried this option to troubleshoot and solve the problem, but I'm afraid that the problem is not the service principal itself; instead, I think I would need to reference -servicePrincipalClientId $($secretServicePrincipalClientId) and
-servicePrincipalClientSecret $($secretServicePrincipalClientSecret) in a special way.

How can I do that?

If someone can point me in the right direction I would appreciate it.

-- bgarcial
azure-active-directory
azure-devops
azure-kubernetes
powershell
service-principal

1 Answer

10/27/2019

I decided to make the execution of the ARM template easier by removing the secure task where I was converting the values to secure strings.

So, in the end, I have the pipeline variables defined in the normal way, having administratorLogin as a non-encrypted variable there:


And in the Azure Resource Group deployment task I am doing:

  • Template: I select my ARM template

  • Deployment mode: Complete

    Complete mode deletes resources that are not in your template. [Warning] This action will delete all the existing resources in the resource group that are not specified in the template.

I chose this mode so that all the resources created in the platform come from the ARM template, in order to get a log of the resources or changes made to the infrastructure from the ARM template, trying to apply the Infrastructure as Code approach.

  • Override parameters: I decided to include all the parameter values that I got from the ARM template, including the servicePrincipalClientId and servicePrincipalClientSecret variables, in this way:
-administratorLogin "my-username" 
-administratorLoginPassword $(administratorLoginPassword)  
-environmentName "dev" 
-location "West Europe" 
-servicePrincipalClientId $(servicePrincipalClientId) 
-servicePrincipalClientSecret $(servicePrincipalClientSecret) 
         .
         .    
-serviceCidr "100.0.0.0/16" 
-dnsServiceIP "100.0.0.10" 
-dockerBridgeCidr "172.17.0.1/16" 
         .
         .

And the final execution result was:


2019-10-27T15:58:18.3523334Z ##[section]Starting: Azure Deployment:Create Or Update Resource Group action on sentia-assessment-testing
2019-10-27T15:58:18.3886841Z ==============================================================================
2019-10-27T15:58:18.3887055Z Task         : Azure resource group deployment
2019-10-27T15:58:18.3887210Z Description  : Deploy an Azure Resource Manager (ARM) template to a resource group and manage virtual machines
2019-10-27T15:58:18.3887334Z Version      : 2.157.4
2019-10-27T15:58:18.3887438Z Author       : Microsoft Corporation
2019-10-27T15:58:18.3887559Z Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment
2019-10-27T15:58:18.3887710Z ==============================================================================


### WE CAN SEE HERE THAT AZ RESOURCE GROUP TASK CREATE THE RESOURCE GROUP
### IF IT DOES NOT EXIST. 

2019-10-27T15:58:19.3677672Z Checking if the following resource group exists: resource-group.
2019-10-27T15:58:19.6898000Z Resource group exists: false.
2019-10-27T15:58:19.6900439Z Creating resource Group: resource-group
2019-10-27T15:58:20.1586233Z Resource Group created successfully.
2019-10-27T15:58:20.1589727Z Creating deployment parameters.

############### THIS IS THE ARM TEMPLATE EXECUTED ##################

2019-10-27T15:58:20.1681560Z The detected encoding for file 'd:\a\r1\a\Github\Deployments\ARMTemplates\Infrastructure\AzResourceGroupDeploymentApproach\testing.json' is 'utf-8'

############### THIS IS THE ARM TEMPLATE EXECUTED END ##################

2019-10-27T15:58:20.1864884Z Starting Deployment.
2019-10-27T15:58:20.1866605Z Deployment name is AzureDevOpsDeployment_91
2019-10-27T16:13:20.7707558Z Successfully deployed the template.
2019-10-27T16:13:20.7834983Z ##[section]Finishing: Azure Deployment:Create Or Update Resource Group action on resource-group

This is a good and simpler approach, but maybe the ideal scenario would be to handle the variables mentioned above as secure strings and share their values across the different tasks in the release pipeline.

-- bgarcial
Source: StackOverflow
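An added example, not the poster's code, for the question's PowerShell conversion task and the answer's closing remark about secure strings: it does the SecureString conversion and the ARM deployment inside a single Azure PowerShell task, so the value never has to be carried through $env: or across a task boundary. It assumes the Az module is loaded, the template's servicePrincipalClientSecret parameter is of type securestring, and placeholder names for the script parameters and the later-task variable aksSpClientSecret.

```powershell
# Added example (not the poster's code). Assumptions: Az module loaded
# (AzurePowerShell task); the template declares servicePrincipalClientSecret
# as "type": "securestring"; the values are supplied as script arguments with
# the pipeline's own $(var) macro syntax, e.g.
#   -ServicePrincipalClientId $(servicePrincipalClientId)
#   -ServicePrincipalClientSecretPlain $(servicePrincipalClientSecret)
# The $($var) form is not expanded by the pipeline, which is why the error in
# the question shows it verbatim as the client ID.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$TemplateFile,
    [Parameter(Mandatory)][string]$ServicePrincipalClientId,
    [Parameter(Mandatory)][string]$ServicePrincipalClientSecretPlain
)

# Pass the value itself. Single quotes, as in '$($env:x)', would turn the
# literal text "$($env:x)" into the SecureString instead of the secret.
$clientSecret = ConvertTo-SecureString -String $ServicePrincipalClientSecretPlain -AsPlainText -Force

# Keys are the template's own parameter names; the network values are the
# ones shown in the question. A SecureString is accepted for a securestring
# template parameter, so the secret is never held as plain text here.
$templateParameters = @{
    servicePrincipalClientId     = $ServicePrincipalClientId
    servicePrincipalClientSecret = $clientSecret
    serviceCidr                  = '100.0.0.0/16'
    dnsServiceIP                 = '100.0.0.10'
    dockerBridgeCidr             = '172.17.0.1/16'
}

$deployment = New-AzResourceGroupDeployment -ResourceGroupName $ResourceGroupName `
    -TemplateFile $TemplateFile `
    -TemplateParameterObject $templateParameters

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment $($deployment.DeploymentName) ended in state $($deployment.ProvisioningState)"
}

# If a later task in the same job really needs the secret, hand it over with
# the task.setvariable logging command and issecret=true: the agent masks it
# in the log and exposes it as $(aksSpClientSecret) to the following tasks.
# $env: cannot hold a SecureString and is not shared across tasks anyway.
Write-Host "##vso[task.setvariable variable=aksSpClientSecret;issecret=true]$ServicePrincipalClientSecretPlain"
```

In the classic Azure resource group deployment task the same effect is obtained with $(servicePrincipalClientSecret) in the override parameters box, as the answer does; the script is for the case where the conversion really has to happen in PowerShell.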